Map Currency Indication <CR_5.1>

Describe how and where your capability indicates
the most recent CVE version used to create or update its mappings (required):

Upon ImmuniWeb security assessment completion customer receives assessment report in PDF format. In the report all the detected vulnerabilities are presented in a table format with various technical fields. All the vulnerabilities that are publicly known and have CVE ID assigned will have the following field:

Vulnerability CVE ID: CVE ID-HERE

In case if CVE ID is not assigned for a vulnerability, the value of this filed will be "Not Assigned".

It is important to mention that some of the detected vulnerabilities (for example in in-house web applications and private software) don’t have and quite probably will never have a CVE ID.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings
to reflect new CVE versions and describe your approach to keeping reasonably
current with CVE versions when mapping them to your repository (required):

ImmuniWeb provides customer with a PDF report that is up2date on the date of delivery. All CVE IDs mentioned in the report are up2date on the date of delivery. CVE IDs are manually verified by security auditor to assure their accuracy and actuality.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they
should expect an update of your capability’s mappings to reflect newly
available CVE content (required):

Upon receipt of ImmuniWeb security assessment report customer may refer to Vulnerability Databases, for example to OSVDB (http://osvdb.org) with which High-Tech Bridge collaborates, to get the latest information about CVE IDs, CVE content and vulnerabilities statuses.

The report itself is not updatable after delivery due to the nature of the service. However, we do our best efforts to include all information about vulnerability (such as vendor patch or any unofficial solutions, VDBs entireties, etc.) and CVE content into report that is publicly available on the date of ImmuniWeb security assessment.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given
CVE Identifier to your Capability (required):

CVE ID is manually verified by ImmuniWeb auditors on various trustable sources, such as NIST and various Vulnerabilities Databases.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

As already mentioned above, CVE IDs indicated in ImmuniWeb PDF report are not updatable due to the nature of the service. Therefore there is no need for a procedure to monitor such changes.

However, in the assessment report customer will be provided with hyperlinks to trustable web resources that describe vulnerabilities with assigned CVE IDs, which are supposed to be updated if the customer visits them in the future.

Please refer to <CR_5.3> for more details.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

Main sources are NIST and various Vulnerabilities Databases.

If the vulnerability was discovered by High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory), which is also CVE-Compatible since 2012, we have CVE ID received directly from CVE Numbering Authority.

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location,
of where your documentation describes CVE and CVE compatibility for
your customers (required):

We believe that the best and the most appropriate resource with CVE documentation that can provide our customers with the most complete, accurate and latest information about CVE is the official CVE website. Each ImmuniWeb security assessment report contains a hyperlink to it.

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of
where your documentation describes the specific details of how your
customers can use CVE names to find the individual security elements
within your capability’s repository (required):

ImmuniWeb customers can use default built-in Adobe Reader (or any other PDF document reading software) search function to search vulnerabilities in the report by CVE ID. This feature is obvious and does not require specific documentation.

Documentation of Finding CVE Names Using Elements
<CR_4.3>

Provide a copy, or directions to its location, of
where your documentation describes the process a user would follow to
find the CVE names associated with individual security elements within
your capability’s repository (required):

Type-Specific Capability Questions

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways
that a user can use CVE names to find out which security elements
are tested or detected by the service (i.e. by asking, by providing
a list, by examining a coverage map, or by some other
mechanism) (required):

Each vulnerability in ImmuniWeb security assessment report is presented in a table that has the following fields:

CVE ID

CWE-ID

CVSSv2 Base Score

These fields make obvious which security tests were performed by ImmuniWeb.

Detailed information about each vulnerability type that is detected by ImmuniWeb is publicly available in our CWE Glossary, https://www.htbridge.com/vulnerability/, which is also mentioned in the report.

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that
identify individual security elements, the user can determine the
associated CVE names for the individual security elements in the
report (required):

In ImmuniWeb security assessment report for each detected security vulnerability there is field in the table named "Vulnerability CVE ID" that contains CVE ID if it is assigned by CVE numbering authority. See <CR_5.1> for more details.

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that
you provide and describe how they can be searched for specific
CVE-related text (required):

ImmuniWeb security assessment report is provided in PDF format only.

Built-in search functions of PDF document reading software can be easily used to search vulnerabilities by specific CVE ID.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents
only lists security elements by their short names or titles provide
example documents that demonstrate how the associated CVE names are
listed for each individual security element (required):

ImmuniWeb report is well structured, and each table with vulnerability description is located on a separate page of the PDF document. As already mentioned above, each vulnerability description is presented in a table format that always contain highly visible "Vulnerability CVE ID" field.

Therefore, customers will be able to see CVE ID associated with vulnerability without any efforts (in case if CVE ID is assigned by CVE numbering authority to the vulnerability and disclosed by the date of security assessment).

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the
GUI provides a "find" or "search" function for the
user to identify your capability’s elements by looking for their associated
CVE name(s) (required):

It depends on the software that user uses to read ImmuniWeb security assessment report that is delivered in PDF format.

For Adobe Reader it’s enough just to press "CTRL+F" key combination to get a search input box, which can be used to search vulnerabilities by CVE ID or any other search parameter.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are
listed for the individual security elements or discuss how the user
can use the mapping between CVE entries and the capability’s elements,
also describe the format of the mapping (required):

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the
following Compatibility Statement (required):

"As an authorized representative of my organization I agree
that we will abide by all of the mandatory CVE Compatibility Requirements
as well as all of the additional mandatory CVE Compatibility Requirements
that are appropriate for our specific type of capability."

Name: Ilia Kolochenko

Title: CEO

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the
following accuracy Statement (recommended):

"As an authorized representative of my organization and to
the best of my knowledge, there are no errors in the mapping between
our capability’s Repository and the CVE entries our capability identifies."

FOR TOOLS ONLY - Have an authorized individual sign
and date the following statement about your tools efficiency in identification
of security elements (required):

"As an authorized representative of my organization and to
the best of my knowledge, normally when our capability reports a specific
security element, it is generally correct and normally when an event
occurs that is related to a specific security element our capability
generally reports it."